
Swift works for admin but not for myuser

asked 2019-09-01 07:58:45 -0500

Ion42 gravatar image

Hi,

Following the standard Stein installation manuals, I have authentication problems with Swift. The admin user works fine, but the demo user "myuser" runs into permission denied. Last year with Queens everything was fine. To be honest, I don't understand what needs to be done to allow "myuser" to use Swift, or how to get more details.

Sorry for bothering you, maybe someone has an idea?

BR, Ion


> root@control:~# . admin-openrc
> 
> root@control:~# swift stat
>                         Account: AUTH_02f3a8cf8fb54dfea8d4846468b3bfad
>                      Containers: 2
>                         Objects: 1
>                           Bytes: 688
> Containers in policy "policy-0": 2
>    Objects in policy "policy-0": 1
>      Bytes in policy "policy-0": 688
>     X-Account-Project-Domain-Id: default
>          X-Openstack-Request-Id: tx82d8999edde0459c8c37b-005d6bb55c
>                     X-Timestamp: 1567163751.67438
>                      X-Trans-Id: tx82d8999edde0459c8c37b-005d6bb55c
>                    Content-Type: application/json; charset=utf-8
>                   Accept-Ranges: bytes
> 

> 
> root@control:~# . demo-openrc
> 
> root@control:~# env | grep OS
> OS_IMAGE_API_VERSION=2
> LESSCLOSE=/usr/bin/lesspipe %s %s
> OS_AUTH_URL=http://control:5000/v3
> OS_PROJECT_NAME=myproject
> OS_PROJECT_DOMAIN_NAME=Default
> OS_USER_DOMAIN_NAME=Default
> OS_IDENTITY_API_VERSION=3
> OS_PASSWORD=abcd123
> OS_USERNAME=myuser
> 

> root@control:~# swift stat 
> Account HEAD failed:
> http://control:8080/v1/AUTH_f4190155cae94459b7fda0b270003d7b
> 403 Forbidden Failed Transaction ID:
> tx404403bdc13c43caafea1-005d6bb57a
> root@control:~#

root@control:/etc/swift# cat proxy-server.conf | grep -v ^# | grep -v -e '^$'
# NOTE(review): the "#" lines without a setting are review annotations added to
# the comment-stripped proxy-server.conf listing; every setting line is unchanged.
[DEFAULT]
bind_port = 8080
swift_dir = /etc/swift
user = swift
[pipeline:main]
# Only the filters named in this pipeline are active. Authentication and
# authorization are handled by authtoken followed by keystoneauth; tempauth,
# s3api/s3token, keymaster and encryption are defined below but are not listed.
pipeline = catch_errors gatekeeper healthcheck proxy-logging cache container_sync bulk ratelimit authtoken keystoneauth container-quotas account-quotas slo dlo versioned_writes proxy-logging proxy-server
[app:proxy-server]
use = egg:swift#proxy
account_autocreate = True
# NOTE(review): the user_<account>_<user> lines look like the tempauth sample
# accounts. tempauth is not in the pipeline, so they are presumably unused
# here - confirm, and delete them: they are widely known default credentials
# if tempauth is ever enabled.
user_admin_admin = admin .admin .reseller_admin
user_test_tester = testing .admin
user_test_tester2 = testing2 .admin
user_test_tester3 = testing3
user_test2_tester2 = testing2 .admin
user_test5_tester5 = testing5 service

[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
### www_authenticate_uri = http://control:35357 # --- doesn't work at all
# Keystone is reached over plain http, so the service password and every token
# cross the network unencrypted; use https endpoints outside a lab setup.
www_authenticate_uri = http://control:5000
auth_url = http://control:5000
memcached_servers = control:11211
auth_type = password
project_domain_id = default
user_domain_id = default
project_name = service
username = swift
# Service-account password stored in clear text, and it is the same string as
# the demo user's OS_PASSWORD in the env output. Keep this file readable only
# by the swift user, use a distinct secret per account, and rotate it once it
# has been pasted anywhere public.
password = abcd123
# With delay_auth_decision enabled, authtoken does not reject requests that
# lack a valid token itself; it passes them on and the allow/deny decision is
# left to keystoneauth further down the pipeline.
delay_auth_decision = True

[filter:keystoneauth]
use = egg:swift#keystoneauth
# operator_roles lists the Keystone roles that make a user an owner of the
# project's account (full control over its containers and objects). A name that
# matches no role held by the user grants nothing, which shows up as 403.
# List only roles that are meant to carry that level of access.
operator_roles = admin,user

[filter:s3api]
use = egg:swift#s3api
[filter:s3token]
use = egg:swift#s3token
reseller_prefix = AUTH_
delay_auth_decision = False
# NOTE(review): keystonehost looks like the sample placeholder host; s3token is
# not in the pipeline, so this value is presumably never used - confirm.
auth_uri = http://keystonehost:35357/v3
http_timeout = 10.0
[filter:healthcheck]
use = egg:swift#healthcheck
[filter:cache]
use = egg:swift#memcache
memcache_servers = control:11211
[filter:ratelimit]
use = egg:swift#ratelimit
[filter:read_only]
use = egg:swift#read_only
[filter:domain_remap]
use = egg:swift#domain_remap
[filter:catch_errors]
use = egg:swift#catch_errors
[filter:cname_lookup]
use = egg:swift#cname_lookup
[filter:staticweb]
use = egg:swift#staticweb
[filter:formpost]
use = egg:swift#formpost
[filter:name_check]
use = egg:swift#name_check
[filter:list-endpoints]
use = egg:swift#list_endpoints
[filter:proxy-logging]
use = egg:swift#proxy_logging
[filter:bulk]
use = egg:swift#bulk
[filter:slo]
use = egg:swift#slo
[filter:dlo]
use = egg:swift#dlo
[filter:container-quotas]
use = egg:swift#container_quotas
[filter:account-quotas]
use = egg:swift#account_quotas
[filter:gatekeeper]
use = egg:swift#gatekeeper
[filter:container_sync]
use = egg:swift#container_sync
[filter:xprofile]
use = egg:swift#xprofile
[filter:versioned_writes]
use = egg:swift#versioned_writes
[filter:copy]
use = egg:swift#copy
[filter:keymaster]
use = egg:swift#keymaster
# "changeme" is the placeholder root secret. keymaster and encryption are not
# in the pipeline, so it is unused here, but it must be replaced with a
# randomly generated secret (base64 of at least 32 bytes) before encryption is
# enabled: data encrypted under a guessable root secret is not protected.
encryption_root_secret = changeme
[filter:kms_keymaster]
use = egg:swift#kms_keymaster
[filter:kmip_keymaster]
use = egg:swift#kmip_keymaster
[filter:encryption]
use = egg:swift#encryption
[filter:listing_formats]
use = egg:swift#listing_formats
[filter:symlink]
use = egg:swift#symlink
root@control:/etc/swift#



root@control:~# openstack role list
+----------------------------------+--------+
| ID                               | Name   |
+----------------------------------+--------+
| 456aba9b4bf946999a531113027db234 | member |
| 84ebc0d4f53b43799ba145a07e30daf3 | reader |
| a168190a27534cd09085384ff6319dff | admin  |
| c610b247798044b8acddfea94d5b0338 | myrole ...

2 answers


answered 2019-09-04 03:32:51 -0500

ppeereb1 gravatar image

you have:

[filter:keystoneauth]
use = egg:swift#keystoneauth
operator_roles = admin,user

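But the role in your Keystone role list is named member, not user. keystoneauth treats a user as owner of the project's account only if the user holds one of the roles listed in operator_roles on that project, and myuser cannot hold a role called user. Change user to member and it should work.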


Comments

1

Many, many thanks for the hint!

[filter:keystoneauth]
operator_roles = admin,member

together with giving the user myuser the correct role

openstack role add --user myuser --project myproject member

solved the issue.

Ion42 ( 2019-09-07 14:06:56 -0500 )
